Accept the default origins pattern, which configures unattended-upgrade to install only stable and security upgrades.

Test it

First do a dry-run:

$ sudo unattended-upgrade -v -d --dry-run

If everything looks good, do a real run:

$ sudo unattended-upgrade -v -d

Email notifications

To get unattended-upgrade to send you email notifications you need to install a program that provides the mailx command
(the command that unattended-upgrade calls when it wants to send an email) and a Mail Transfer Agent (MTA) program (a program
that actually sends the emails, that the mailx command talks to), and make sure that the root user can send mails using the
mailx command.

I want an MTA that’s able to use the SMTP server of my email provider (Gmail, FastMail etc) so that it can send
emails to my real email account (rather than doing something like appending to files in /var/spool/mail/).

Tell unattended-upgrade what email address to send emails to. Edit /etc/apt/apt.conf.d/50unattended-upgrades and set
the Unattended-Upgrade::Mail setting:

Unattended-Upgrade::Mail "<YOU>@<YOUR_DOMAIN>"

Logging

Email notifications are better, but it’s worth knowing that unattended-upgrade logs everything in the
/var/log/unattended-upgrades/ directory. /var/log/unattended-upgrades/unattended-upgrades.log contains recent log entries.
Older log entries are in the log dir in gzip files. And there’s also a
/var/log/unattended-upgrades/unattended-upgrades-shutdown.log file.

Reboots

TODO: What’s the default behaviour when a reboot is required? Send an email?

You can set Unattended-Upgrade::Automatic-Reboot in /etc/apt/apt.conf.d/50unattended-upgrades to reboot automatically.

There’s also a reboot-notifier package but it seems to conflict with a bunch of Ubuntu and Gnome desktop packages.

New releases

TODO: How do you get it to email you or do the upgrade when a new release upgrade is available?

Hypothesis’s servers have a /etc/cron.weekly/update-notifier-common script containing
[ -x /usr/lib/ubuntu-releaseupgrader/release-upgrade-motd ] || exit 0 that does this, comes from the
update-notifier-common package which is a dependency of
update-notifier, but this seems to be installed by default. Is it enabled to send email notifications by default?